
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
  
<!-- Mirrored from werkzeug.palletsprojects.com/en/1.0.x/middleware/proxy_fix/ by HTTrack Website Copier/3.x [XR&CO'2014], Tue, 15 Sep 2020 06:37:09 GMT -->
<head>
    <meta http-equiv="X-UA-Compatible" content="IE=Edge" />
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <meta name="viewport" content="width=device-width, initial-scale=1">
    <title>X-Forwarded-For Proxy Fix &#8212; Werkzeug Documentation (1.0.x)</title>
    <link rel="stylesheet" href="../../_static/werkzeug.css" type="text/css" />
    <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
    <link rel="stylesheet" type="text/css" href="../../../../../assets.readthedocs.org/static/css/badge_only.css" />
    <script type="text/javascript" id="documentation_options" data-url_root="../../" src="../../_static/documentation_options.js"></script>
    <script type="text/javascript" src="../../_static/jquery.js"></script>
    <script type="text/javascript" src="../../_static/underscore.js"></script>
    <script type="text/javascript" src="../../_static/doctools.js"></script>
    <script type="text/javascript" src="../../_static/language_data.js"></script>
    <script async="async" type="text/javascript" src="../../../../../assets.readthedocs.org/static/javascript/readthedocs-doc-embed.js"></script>
    <link rel="shortcut icon" href="../../_static/favicon.ico"/>
    <link rel="index" title="Index" href="../../genindex/index.html" />
    <link rel="search" title="Search" href="../../search/index.html" />
    <link rel="next" title="Serve Shared Static Files" href="../shared_data/index.html" />
    <link rel="prev" title="Middleware" href="../index.html" />
    <link rel="canonical" href="index.html">
  <script>DOCUMENTATION_OPTIONS.URL_ROOT = '../../index.html';</script>
   
  
<!-- RTD Extra Head -->

<!-- 
Always link to the latest version, as canonical.
http://docs.readthedocs.org/en/latest/canonical.html
-->
<link rel="canonical" href="index.html" />

<link rel="stylesheet" href="../../../../../assets.readthedocs.org/static/css/readthedocs-doc-embed.css" type="text/css" />

<script type="text/javascript" src="../../_static/readthedocs-data.js"></script>

<!-- Add page-specific data, which must exist in the page js, not global -->
<script type="text/javascript">
READTHEDOCS_DATA['page'] = "middleware/proxy_fix"
READTHEDOCS_DATA['source_suffix'] = ".rst"
</script>

<script type="text/javascript" src="../../../../../assets.readthedocs.org/static/javascript/readthedocs-analytics.js" async="async"></script>

<!-- end RTD <extrahead> -->
</head><body>
    <div class="related" role="navigation" aria-label="related navigation">
      <h3>Navigation</h3>
      <ul>
        <li class="right" style="margin-right: 10px">
          <a href="../../genindex/index.html" title="General Index"
             accesskey="I">index</a></li>
        <li class="right" >
          <a href="../../py-modindex/index.html" title="Python Module Index"
             >modules</a> |</li>
        <li class="right" >
          <a href="../shared_data/index.html" title="Serve Shared Static Files"
             accesskey="N">next</a> |</li>
        <li class="right" >
          <a href="../index.html" title="Middleware"
             accesskey="P">previous</a> |</li>
        <li class="nav-item nav-item-0"><a href="../../index.html">Werkzeug Documentation (1.0.x)</a> &#187;</li>
          <li class="nav-item nav-item-1"><a href="../index.html" accesskey="U">Middleware</a> &#187;</li> 
      </ul>
    </div>  

    <div class="document">
      <div class="documentwrapper">
        <div class="bodywrapper">
          <div class="body" role="main">
            
  <span class="target" id="module-werkzeug.middleware.proxy_fix"></span><div class="section" id="x-forwarded-for-proxy-fix">
<h1>X-Forwarded-For Proxy Fix<a class="headerlink" href="#x-forwarded-for-proxy-fix" title="Permalink to this headline">¶</a></h1>
<p>This module provides a middleware that adjusts the WSGI environ based on
<code class="docutils literal notranslate"><span class="pre">X-Forwarded-</span></code> headers that proxies in front of an application may
set.</p>
<p>When an application is running behind a proxy server, WSGI may see the
request as coming from that server rather than the real client. Proxies
set various headers to track where the request actually came from.</p>
<p>This middleware should only be applied if the application is actually
behind such a proxy, and should be configured with the number of proxies
that are chained in front of it. Not all proxies set all the headers.
Since incoming headers can be faked, you must set how many proxies are
setting each header so the middleware knows what to trust.</p>
<dl class="class">
<dt id="werkzeug.middleware.proxy_fix.ProxyFix">
<em class="property">class </em><code class="descclassname">werkzeug.middleware.proxy_fix.</code><code class="descname">ProxyFix</code><span class="sig-paren">(</span><em>app</em>, <em>x_for=1</em>, <em>x_proto=1</em>, <em>x_host=0</em>, <em>x_port=0</em>, <em>x_prefix=0</em><span class="sig-paren">)</span><a class="headerlink" href="#werkzeug.middleware.proxy_fix.ProxyFix" title="Permalink to this definition">¶</a></dt>
<dd><p>Adjust the WSGI environ based on <code class="docutils literal notranslate"><span class="pre">X-Forwarded-</span></code> that proxies in
front of the application may set.</p>
<ul class="simple">
<li><code class="docutils literal notranslate"><span class="pre">X-Forwarded-For</span></code> sets <code class="docutils literal notranslate"><span class="pre">REMOTE_ADDR</span></code>.</li>
<li><code class="docutils literal notranslate"><span class="pre">X-Forwarded-Proto</span></code> sets <code class="docutils literal notranslate"><span class="pre">wsgi.url_scheme</span></code>.</li>
<li><code class="docutils literal notranslate"><span class="pre">X-Forwarded-Host</span></code> sets <code class="docutils literal notranslate"><span class="pre">HTTP_HOST</span></code>, <code class="docutils literal notranslate"><span class="pre">SERVER_NAME</span></code>, and
<code class="docutils literal notranslate"><span class="pre">SERVER_PORT</span></code>.</li>
<li><code class="docutils literal notranslate"><span class="pre">X-Forwarded-Port</span></code> sets <code class="docutils literal notranslate"><span class="pre">HTTP_HOST</span></code> and <code class="docutils literal notranslate"><span class="pre">SERVER_PORT</span></code>.</li>
<li><code class="docutils literal notranslate"><span class="pre">X-Forwarded-Prefix</span></code> sets <code class="docutils literal notranslate"><span class="pre">SCRIPT_NAME</span></code>.</li>
</ul>
<p>You must tell the middleware how many proxies set each header so it
knows what values to trust. It is a security issue to trust values
that came from the client rather than a proxy.</p>
<p>The original values of the headers are stored in the WSGI
environ as <code class="docutils literal notranslate"><span class="pre">werkzeug.proxy_fix.orig</span></code>, a dict.</p>
<table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Parameters:</th><td class="field-body"><ul class="first last simple">
<li><strong>app</strong> – The WSGI application to wrap.</li>
<li><strong>x_for</strong> – Number of values to trust for <code class="docutils literal notranslate"><span class="pre">X-Forwarded-For</span></code>.</li>
<li><strong>x_proto</strong> – Number of values to trust for <code class="docutils literal notranslate"><span class="pre">X-Forwarded-Proto</span></code>.</li>
<li><strong>x_host</strong> – Number of values to trust for <code class="docutils literal notranslate"><span class="pre">X-Forwarded-Host</span></code>.</li>
<li><strong>x_port</strong> – Number of values to trust for <code class="docutils literal notranslate"><span class="pre">X-Forwarded-Port</span></code>.</li>
<li><strong>x_prefix</strong> – Number of values to trust for
<code class="docutils literal notranslate"><span class="pre">X-Forwarded-Prefix</span></code>.</li>
</ul>
</td>
</tr>
</tbody>
</table>
<div class="highlight-python notranslate"><div class="highlight"><pre><span></span><span class="kn">from</span> <span class="nn">werkzeug.middleware.proxy_fix</span> <span class="kn">import</span> <span class="n">ProxyFix</span>
<span class="c1"># App is behind one proxy that sets the -For and -Host headers.</span>
<span class="n">app</span> <span class="o">=</span> <span class="n">ProxyFix</span><span class="p">(</span><span class="n">app</span><span class="p">,</span> <span class="n">x_for</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span> <span class="n">x_host</span><span class="o">=</span><span class="mi">1</span><span class="p">)</span>
</pre></div>
</div>
<div class="versionchanged">
<p><span class="versionmodified">Changed in version 1.0: </span>Deprecated code has been removed:</p>
<ul class="simple">
<li>The <code class="docutils literal notranslate"><span class="pre">num_proxies</span></code> argument and attribute.</li>
<li>The <code class="docutils literal notranslate"><span class="pre">get_remote_addr</span></code> method.</li>
<li>The environ keys <code class="docutils literal notranslate"><span class="pre">orig_remote_addr</span></code>,
<code class="docutils literal notranslate"><span class="pre">orig_wsgi_url_scheme</span></code>, and <code class="docutils literal notranslate"><span class="pre">orig_http_host</span></code>.</li>
</ul>
</div>
<details class="changelog">
<summary>Changelog</summary><div class="versionchanged">
<p><span class="versionmodified">Changed in version 0.15: </span>All headers support multiple values. The <code class="docutils literal notranslate"><span class="pre">num_proxies</span></code>
argument is deprecated. Each header is configured with a
separate number of trusted proxies.</p>
</div>
<div class="versionchanged">
<p><span class="versionmodified">Changed in version 0.15: </span>Original WSGI environ values are stored in the
<code class="docutils literal notranslate"><span class="pre">werkzeug.proxy_fix.orig</span></code> dict. <code class="docutils literal notranslate"><span class="pre">orig_remote_addr</span></code>,
<code class="docutils literal notranslate"><span class="pre">orig_wsgi_url_scheme</span></code>, and <code class="docutils literal notranslate"><span class="pre">orig_http_host</span></code> are deprecated
and will be removed in 1.0.</p>
</div>
<div class="versionchanged">
<p><span class="versionmodified">Changed in version 0.15: </span>Support <code class="docutils literal notranslate"><span class="pre">X-Forwarded-Port</span></code> and <code class="docutils literal notranslate"><span class="pre">X-Forwarded-Prefix</span></code>.</p>
</div>
<div class="versionchanged">
<p><span class="versionmodified">Changed in version 0.15: </span><code class="docutils literal notranslate"><span class="pre">X-Forwarded-Host</span></code> and <code class="docutils literal notranslate"><span class="pre">X-Forwarded-Port</span></code> modify
<code class="docutils literal notranslate"><span class="pre">SERVER_NAME</span></code> and <code class="docutils literal notranslate"><span class="pre">SERVER_PORT</span></code>.</p>
</div>
</details></dd></dl>

</div>


          </div>
        </div>
      </div>
  <span id="sidebar-top"></span>
      <div class="sphinxsidebar" role="navigation" aria-label="main navigation">
        <div class="sphinxsidebarwrapper">
  
    
            <p class="logo"><a href="../../index.html">
              <img class="logo" src="../../_static/werkzeug.png" alt="Logo"/>
            </a></p>
  
<h3>Navigation</h3>
<ul>
  <li><a href="../../index.html">Overview</a>
    <ul>
      <li><a href="../index.html">Middleware</a>
        <ul>
          <li>Previous: <a href="../index.html" title="previous chapter">Middleware</a>
          <li>Next: <a href="../shared_data/index.html" title="next chapter">Serve Shared Static Files</a></ul>
      </li>
    </ul>
  </li>
</ul>
<div id="searchbox" style="display: none" role="search">
  <h3>Quick search</h3>
    <div class="searchformwrapper">
    <form class="search" action="https://werkzeug.palletsprojects.com/en/1.0.x/search/" method="get">
      <input type="text" name="q" />
      <input type="submit" value="Go" />
      <input type="hidden" name="check_keywords" value="yes" />
      <input type="hidden" name="area" value="default" />
    </form>
    </div>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
        </div>
      </div>
      <div class="clearer"></div>
    </div>
  
    <div class="footer" role="contentinfo">
        &#169; Copyright 2007 Pallets.
      Created using <a href="http://sphinx-doc.org/">Sphinx</a> 1.8.5.
    </div>
    <script>
      if (typeof READTHEDOCS_DATA !== 'undefined') {
        if (!READTHEDOCS_DATA.features) {
          READTHEDOCS_DATA.features = {};
        }
        READTHEDOCS_DATA.features.docsearch_disabled = true;
      }
    </script>

  </body>

<!-- Mirrored from werkzeug.palletsprojects.com/en/1.0.x/middleware/proxy_fix/ by HTTrack Website Copier/3.x [XR&CO'2014], Tue, 15 Sep 2020 06:37:09 GMT -->
</html>